Privacy Policy

Thank you for choosing to be part of Our community at OncoC4, Inc. We are committed to protecting the privacy and security of Your Personal Data. If You have any questions or concerns about Our Privacy Notice, or Our practices with regards to Your Personal Data, please contact Us using the details outlined in the ‘Contact Us’ section below.

In this Privacy Notice, We seek to explain to You in the clearest way possible what information We collect, how We use it, what We do to keep it secure, and what rights and choices You have in relation to it. We hope You take some time to read through it carefully, so that You are aware of how and why We are using such information. This Privacy Notice applies to You if You are:

• A service user of this website (http://www.oncoc4.com),
• An OncoC4 clinical trial participant (inclusive of any partners, parents, or children in scope)
• A healthcare professional conducting an OncoC4 clinical trial
• An employee, contractor, or other associated party associated with OncoC4
• An employee, contractor, or other associated party contracted by OncoC4’s Service Providers; or,
• Any other individual with whom OncoC4 may conduct commercial operations.

Please read this Privacy Notice carefully as it will help You make informed decisions about sharing Your Personal Data with Us.

DEFINITIONS

For the purposes of this Privacy Notice:

• Company (referred to as either “OncoC4”, “the Company”, “We”, “Us” or “Our” in this Notice) refers to OncoC4, Inc, 9640 Medical Center Drive, Rockville, MD 20850, United States.
• Cookies are small files that are placed on Your computer, mobile device, or any other device by a website. Web browsers store the Cookies they receive for a predetermined period and attach the relevant Cookies to any future requests You make of the web server. Cookies have a variety of uses. Please refer to Our Cookie Policy (https://www.oncoc4.com/cookie-policy) for further information.
• Data Controller, for the purposes of both UK GDPR and EU GDPR, refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data. For both UK GDPR and EU GDPR, the Company is the Data Controller, unless otherwise stated.
• Data Processor, for the purposes of both UK GDPR and EU GDPR, refers to the Company’s Service Providers.
• Data Protection Legislation, is as defined in the Data Protection Legislation section below.
• Device means any device that can access the Service such as a computer, a mobile phone, or a digital tablet.
• Personal Datais any information that relates to an identified or identifiable individual. For both UK GDPR and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
• Service refers to the Website, unless otherwise stated.
• Service Providermeans any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For both UK GDPR and EU GDPR, Service Providers are considered Data Processors.
• Usage Datarefers to data collected automatically, either generated using the Service, or from the Service infrastructure itself (for example, the duration of a page visit).
• Website refers to the OncoC4 website, accessible from https://www.OncoC4.com/.
• You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK GDPR and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as You are the individual using the Service.

DATA PROTECTION LEGISLATION

Data Protection Legislation is referred to throughout this Privacy Notice. Where data is processed by a controller or processor established in the European Union (EU) or comprises the data of people in the European Union, it is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’) as well as any local data protection implementation laws. This includes any replacement legislation coming into effect from time to time.

Where data is processed by a controller or processor established in the United Kingdom (EU) or comprises the data of people in the United Kingdom, it is subject to UK Data Protection Legislation, which includes the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the aforementioned legislation.

In the United States of America (USA), Data Protection Legislation refers to any federal, state, sectoral, or case laws and regulations governing the privacy and security of personal data. This includes applicable state privacy legislation, including, but not limited to, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); New York’s Shield Act; and Delaware’s Online Privacy and Protection Act (DOPPA), as well as other relevant state and federal regulations. This definition also encompasses any legislation implemented under these laws and any replacement or additional legislation enacted from time to time.

Depending on Your jurisdiction, additional Data Protection Legislation may apply. If You have any questions, You can contact Our Data Protection Officer (DPO), who We have appointed to help Us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. For further details on how You can contact Our DPO, please see the ‘Contact Us’ section below.

THE INFORMATION WE COLLECT

We collect Personal Data that You voluntarily provide to Us when expressing an interest in obtaining information about Us or Our products and services, when participating in activities, or otherwise contacting Us. We only collect Personal Data that will be used in accordance with Data Protection Legislation and/or legislation related to clinical trials, such as the EU Clinical Trial Regulations (EU CTR).

The Personal Data that We collect depends on the context of Your interactions with Us and the Services, the choices You make and the products and features You use. The types of Personal Data We may collect will depend on whether You are;

• A service user of this Website
• An OncoC4 clinical trial participant
• A healthcare professional conducting an OncoC4 clinical trial, or,
• An employee, contractor, or other associated party associated with OncoC4, or OncoC4’s Service Providers.

Service User of this Website

• Your name
• Your contact details (email address)
• Your ‘Contact Us’ form responses (https://oncoc4.com/contact/)
• Your Usage Data (e.g., Your IP address)
• Cookies and Tracking Technologies

You are under no requirement or obligation to provide Us with Your Personal Data; however, We require at least this information for Us to deal with You as a Service User of this Website in an efficient and effective manner.

OncoC4 Clinical Trial Participant

• Your name*
• Your age*
• Your gender*
• Your contact information (telephone number and/or email address)*
• Where applicable, the name of your legally authorized representative*
• Where applicable, the name and contact details of your partner*
• Where applicable, the name and health details of your children*
• Your pseudonymized unique identification number(s)
• Your health data
• Your genetic data
• Your ethnicity

* This clinical trial participant identifiable information is collected by OncoC4’s Research Sites, acting on Our behalf as either Data Controllers or Data Processors. This data may be shared with clinicians, health authorities, ethics bodies and other personnel as authorized by OncoC4, but only where OncoC4 is legally obligated to provide this data in accordance with Clinical Trial Regulations and other applicable laws. OncoC4 will not themselves receive information which can directly identify a clinical trial participant, and will not instruct Our partner Data Controllers or Data Processors to process or share this identifying information other than where the law requires.

Healthcare Professional Conducting an OncoC4 Clinical Trial

• Your name and contact details (telephone number, email address, and/or mailing address)
• Where relevant, Your financial information (e.g., bank information)
• Where relevant, Your financial disclosure information (e.g., investment information relating to your spouse and/or adult children)
• Where relevant, Your employment history and employment details (e.g., role, seniority)
• Where relevant, Your professional credentials (e.g., awards, degrees)
• Where relevant, Your Research-related data (e.g., professional opinions, clinical trial involvement).

Employees, Contractors, or Other Associated Parties of OncoC4 or OncoC4’s Service Providers

• Your name
• Your date of birth
• Your contact information (telephone number, email address, and/or mailing address)
• Your employment details
• Where relevant, Your pseudonymized unique identification number(s) (e.g., payroll number)
• Where relevant, Your financial information (e.g., bank information)
• Where relevant, Your Right to Work information (e.g., nationality)
• Where relevant, Your health data (e.g., sick leave information)

All Personal Data that You provide to Us must be true, complete and accurate, and You must notify Us (using the contact details specified in the ‘Contact Us’ section below) of any changes to such Personal Data.

HOW WE USE YOUR INFORMATION

We use Personal Data for a variety of business purposes described below. We process Your Personal Data for these purposes in reliance on Our lawful bases for processing, which are:

• Our legitimate business interests;
• In order to enter into or perform a contract with you;
• With Your consent;
• Where it is in Your vital interest, or the vital interest of a third party; and/or,
• For compliance with Our legal obligations.

We will only use Your Personal Data for the purposes for which We collected it, unless We reasonably consider that We need to use it for another reason, and that reason is compatible with the original purpose. If We need to use Your Personal Data for an unrelated purpose, We will notify You and We will explain the lawful basis which allows Us to do so. We may process Your Personal Data without Your knowledge or consent, in compliance with this Privacy Notice, where this is required or permitted by law.

We may use the information We collect or receive for the following purposes:

HOW YOUR INFORMATION MAY BE SHARED

We may share Your Personal Data in the following situations:

• Vendors, Consultants, Strategic Clinical Trial Partners, and Other Third-Party Service Providers (“Data Processors”). We may share Your data with third party vendors, service providers, contractors or agents who perform services for Us or on Our behalf and require access to such information to do that work. Examples include, but are not limited to, Our Clinical Trial Data Processors, payment processing services, data analysis services, email delivery services, hosting services, IT service providers, customer service and marketing efforts. We may allow selected third parties to use tracking technology on the services, if You give Your consent, which will enable them to collect data about how You interact with the Services over time. This information may be used to, among other things, analyze and track data, determine the popularity of certain content and better understand online activity. Unless described in this Privacy Notice, We do not share, sell, rent or trade any of Your information with third parties for their promotional purposes. We have Data Processor Agreements in place with Our data processors. This means that they cannot do anything with Your Personal Data unless We have instructed them to do it. They will not share Your Personal Data with any organization apart from Us, or further sub-processors who must comply with Our Data Processor Agreement. They will hold it securely and retain it for the period We instruct.
• If the Law or a Public Authority says that We must share the Personal Data.
• If We need to share Personal Data to others to establish, exercise or defend Our legal rights (including for the purposes of detecting and preventing fraud)
• Business Transfers. We may share or transfer Your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of Our business to another company. The new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by Us.
• For purposes otherwise permitted under Data Protection Legislation.

COOKIES AND TRACKING TECHNOLOGIES

We use Cookies and similar tracking technologies to track the activity on Our Website, and store certain information. Specific information about how We use such technologies and how You can refuse certain cookies is set out in Our Cookie Policy (https://www.oncoc4.com/cookie-policy).

RETENTION OF YOUR INFORMATION

We will only keep Your Personal Data for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements).

When We have no ongoing legitimate business need to process Your Personal Data, We will either delete or anonymize it, or, if this is not possible (for example, because Your Personal Data has been stored in backup archives), then We will securely store Your Personal Data and isolate it from any further processing until deletion is possible.

KEEPING YOUR INFORMATION SAFE

We have implemented appropriate technical and organizational security measures designed to protect the security of any Personal Data We process.

We take security measures to protect Your information including:

• Deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard Your information across all Our computer systems, networks, websites, mobile apps, offices, and stores,
• Implementing access controls to Our information technology, buildings, and resources; and,
• Monitoring and communicating information on data breaches with You and/or with the applicable regulator when required to do so by law. If OncoC4 becomes aware of a data breach which has resulted or may result in unauthorized access, use or disclosure of Personal Data OncoC4 will promptly investigate the matter and notify the applicable Supervisory Authority not later than 72 hours after having become aware of it unless it is unlikely to result in a risk to Your rights and freedoms. OncoC4 will also communicate any Personal Data breaches that are likely to result in a high risk to Your rights and freedoms to You without undue delay.

Please also remember that We cannot guarantee that the internet itself is 100% secure. Although We will do Our best to protect Your Personal Data, the transmission of Personal Data to and from Our Services is at Your own risk. You should only access the Services within a secure environment.

INFORMATION FROM MINORS

With the exception of where we are obligated to do so by clinical trial regulations, we do not knowingly solicit data from or market to children under 13 years of age. By using the Services, You represent that You are at least 13 or that You are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If We learn that Personal Data from users less than 13 years of age has been collected, We will deactivate the account and take reasonable measures to promptly delete such data from Our records. If You become aware of any data We have collected from children under age 13, please contact Us using the details outlined in the ‘Contact Us’ section below.

OUR COMMUNICATION CHANNELS

Where you are a clinical trial participant or a Healthcare Professional involved in the planning, delivery, or oversight of an OncoC4 clinical trial, we will contact you through our Contracted Research Organization (CRO) where it is necessary to do so.

Where you are an employee of OncoC4, we will contact you through existing OncoC4 communication channels, including email, where it is appropriate to do so.

Where you are an employee of OncoC4’s Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we will send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so. Where we do not have a legitimate interest, we will not send you marketing communications unless we have asked for, and gained, your consent. We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.

All email communications will have an option to unsubscribe and so if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the ‘Contact Us’ section below.

GIVING REVIEWS AND SHARING YOUR THOUGHTS

When using Our website and other Services, You may be able to share information through social networks like Facebook and Twitter. For example, when You ‘like’, ‘share’ or review Our Services. When doing this, Your Personal Data may be visible to the providers of those social networks and/or their other users. Please remember it is Your responsibility to set appropriate privacy settings on Your social network accounts so that You are comfortable with how Your information is used and shared on them.

THIRD PARTY WEBSITES AND LINKS

Our Website may contain links to other sites operated by third parties. The Company does not control such other sites and is not responsible for their content, their privacy policies, or their use of Personal Data. The Company’s inclusion of such links does not imply any endorsement of the content on such sites or of their owners or operators except as disclosed through the Services. Any information submitted by You directly to these third parties is subject to that third party’s privacy policy.

We expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of Personal Data by third parties.

YOUR PRIVACY RIGHTS

In some regions, like the European Economic Area (EEA) or United Kingdom, You have certain rights under applicable Data Protection Legislation. These may include;

• The right to be informed about Our collection and use of Personal Data. We ensure We do this by publishing this Privacy Notice, which is regularly reviewed to ensure it is accurate, and reflects Our data processing activities.
• The right to request access and obtain a copy of Your Personal Data. If We agree that We are obliged to provide Personal Data to You or someone else on Your behalf, We will provide it to You or them free of charge, and aim to do so within one month from when Your identity has been confirmed. In the event You would like to exercise this right, We will ask for proof of identity, and information about Your interactions with Us to enable Us to locate Your Personal Data.
• The right to request rectification or erasure. If any of the Personal Data We hold about You is inaccurate, incomplete, or out of date, You may ask Us to correct it. You also have the right to have Personal Data erased. This right is not absolute, and only applies in certain circumstances. For example, the right to have Personal Data erased does not apply where We have a legal obligation to retain Your Personal Data.
• The right to restrict the processing of Your Personal Data, for example, if You feel the Personal Data We hold is inaccurate. This right is not absolute, and only applies in certain circumstances.
• The right to data portability allows You to receive Personal Data You have provided in a structured, commonly used, and machine-readable format, and to request that We transmit this data directly to another Data Controller.
• In certain circumstances, You may have the right to object to the processing of Your Personal Data. This is an absolute right when We use Your data for direct marketing, but may not apply in other circumstances.

To make such a request, please use the contact details provided below in the ‘Contact Us’ section. We will consider and act upon any request in accordance with applicable Data Protection Legislation.

Please note, OncoC4 does not intend to conduct any automated decision-making using Your Personal Data.

If We are relying on Your consent to process Your Personal Data, You have the right to withdraw Your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.

You can make a complaint to Your supervisory authority at any time about the way We use Your information. However, We hope that You would consider raising any issue or complaint You have with Us first. Your satisfaction is extremely important to Us, and We will always do Our very best to solve any problems You may have.

If You are resident in the European Economic Area and You believe We are unlawfully processing Your Personal Data, You have the right to complain to Your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

In the UK, the Information Commissioner’s Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which You can access here: https://ico.org.uk/for-the-public. You can also make a complaint directly to us using the details outlined in the ‘Contact Us’ section below.

CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting You can activate to signal Your privacy preference not to have data about Your online browsing activities monitored and collected. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, We do not currently respond to DNT browser signals or any other mechanism that automatically communicates Your choice not to be tracked online. If a standard for online tracking is adopted that We must follow in the future, We will inform You about that practice in a revised version of this privacy policy.

INTERNATIONAL TRANSFERS

Your Personal Data is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your state, province, country, or other governmental jurisdiction where the Data Protection Legislation may differ than those from Your jurisdiction. When OncoC4 shares clinical trials data with Data Processors, Your Personal Data would be stored and processed within third countries. Where this occurs, OncoC4 will ensure that:

• The security and confidentiality of Your Personal Data is always secure;
• Any Data Controller receiving Your Personal Data has entered into an agreement with OncoC4 which contains standard data protection clauses as required by UK GDPR and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
• Any Data Processor receiving Your Personal Data has entered into an agreement with OncoC4 which contains the required Data Processor clauses as well as standard data protection clauses as required by UK GDPR and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.

Where You are based in the UK or EEA and We were required to transfer Your Personal Data out of the UK or EEA to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow Us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data. You can obtain a copy of this documentation by contacting our UK Representative, EU Representative, or DPO identified in the ‘Contact Us’ section below.

PRIVACY RIGHTS OF UNITED STATES RESIDENTS

United States – California Data Protection Legislation

If You are a resident of California, You are granted specific rights regarding access to Your Personal Data. The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) requires that We provide You with a privacy policy of Our online and offline information practices and Your rights under this law regarding Your Personal Data information.

We currently collect, share, disclose, and use Your personal information. In the 12 months prior to the last updated date of this Privacy Notice, We have collected, shared, disclosed the personal information set out in the ‘The Information We Collect’ section above. We may collect personal information directly from California and other USA state residents, credit reporting agencies, and/or Our third-party service providers. We do not collect all categories of personal information from each source.

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits Our users who are California residents to request and obtain from Us, once a year and free of charge, information about categories of Personal Data (if any) We disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which We shared Personal Data in the immediately preceding calendar year. If You are a California resident and would like to make such a request, please submit Your request in writing to Us using the contact information provided below.

California residents are afforded the following rights:

• to delete Your personal information, unless We:
  • can prove this to be impossible;
  • it involves disproportionate effort; or
  • it is reasonably necessary for Us to maintain records in order to fulfil the transaction(s) for which the personal information was collected;
• to correct inaccurate personal information held about you;
• to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice);
• to request specific pieces of information from Us;
• to opt out of the sale or sharing of Your personal information;
• to limit use and disclosure of sensitive personal data; and,
• to no retaliation following opt-out or exercise of other rights.

If You would like to contact Us regarding this right, please contact Us using the details provided in the ‘Contact Us’ section as set out below. Please note that We may need to verify Your identity before processing Your request. Rights requests shall be reviewed to see if an exemption allows Us to retain the information. We may deny Your deletion request if an exemption applies and/or if retaining the information is necessary for Us or our Service Provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify, or limit the scope of personal information not subject to an exemption from our records and will direct our Service Providers to take similar action.

United States – Other Data Protection Legislation

If You are a USA resident, We process Your personal data in accordance with applicable USA state data privacy laws, including the CCPA/CPRA described above. This section of Our Privacy Notice contains information required by other USA state data privacy laws and supplements the above section on CCPA/CPRA.

Several USA states have enacted comprehensive privacy statutes, including, but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These laws include provisions aimed at safeguarding consumer rights and outlining business obligations. If You have relevant rights under these laws, You can exercise them by contacting Us using the details provided in the ‘Contact Us’ section as set out below.

Our practices are designed to adhere to the highest standards set forth by these laws, ensuring that We respect the privacy rights of all individuals. As the USA privacy laws continue to evolve, We will monitor these changes, adjust Our privacy practices, and update Our Privacy Notice(s) accordingly.

We Do Not Sell Your Personal Information

You have the right to know whether Your personal information is being sold. Your personal information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other USA state data privacy laws. Please note a “sale” does not include when We disclose Your personal information at Your direction, or when otherwise permitted under law.

We May Share Your Personal Information

We may “share” Your personal data, as defined under California and other applicable USA state laws, for personalised advertising purposes and/or for any other purposes outlined in this Privacy Notice.

Non-Discrimination

USA state privacy laws prohibit businesses from discriminating against You for exercising Your rights under the law. Such discrimination may include denying goods or services, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.

UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time. If We make material changes to this Privacy Notice, We may notify You either by prominently posting a notice of such changes or by directly sending You a notification. We encourage You to review this Privacy Notice frequently to be informed of how We are protecting Your information.

CONTACT US

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice or the way your Personal Data is processed, please contact us by one of the following means:

The OncoC4 Data Protection Officer (DPO):
The DPO Centre Netherlands B.V. (Dr. Lawrence Carter),
Vijzelstraat 68, Amsterdam 1017HL, Netherlands.
+31202091510
Email: [email protected]

Our EU Representative:
The DPO Centre Europe Ltd,
Alexandra House, 3 Ballsbridge Park, Dublin, DO4C 7H2, Ireland.
+35316319460
Email: [email protected]

Our UK Representative:
The DPO Centre Limited,
50 Liverpool Street, London EC2M 7PY, UK.
+442037971289
Email: [email protected]

Thank you for taking time to read this privacy notice.